Cyber Force Development Challenges


Customizable  and  scalable  training  solutions  for  globally  dispersed 
cyber  operations  forces 

Establishment  of  CMF  collective  training  program 


“Our highest priority is developing and managing individual, collective, and sustainment training for our cyber mission forces.” CG, ARCYBER (2014)

GCD  Overview 
FY15 Initiatives


Gaining  Cyber  Dominance  Program 

•  Army  topology  development 

•  PCTC  infrastructure  refresh 

•  RCC  training  and  exercises  (unclassified) 

•  CPT  training  and  exercises  (unclassified/classified) 
Classified  training  environment 

•  STEP  infrastructure  on  JIOR 
GCD Program Overview


✓ Improve Individual Operator Skills
✓ Improve RCC/CPT Team Skills
✓ Establish integration of RCC/ADOC/JFHQ-C/CPT
✓ Provide input to RCC of the Year Award


[Figure: training progression. Labels: Initial Individual Training (FedVTE); Collective Monthly Exercises (STEP); ELITE MERCURY Capstone Event; The “CYBER Dominance” Team!]

END STATE:

Cyber training and exercise program that provides hands-on training for RCCs and CMF teams to exercise and refine operational TTPs and mission command, including alignment with joint training standards and the ability to evaluate mission-ready status of forces.
CMF Training Approach


[Figure: CMF training approach. Labels: US Army Regional Cyber Centers, Theater Signal Command; Cyber Flag; Cyber Guard; STEP Platform; Gaining Cyber Dominance: Individual Training (FedVTE), Unit Lead Collective Training Sandbox, Facilitated Collective Exercises, ELITE MERCURY Culminating Training Exercise; CMF Training]

ARCYBER CPT CONOPS
USCC CPT CONOPS
USCC CMF T&R Manual
USCC CFCOE

-  Software  Engineering  Institute  Carnegie  Mellon  University 


GCD  Overview 
January  2015 

©2014  Carnegie  Mellon  University 


Program  Objectives 


1.  Offer  challenging  training  opportunities  tailored  to  meet  the  needs  of 
the  RCCs  and  CPTs 

2.  Enlarge  the  RCC  training  audience  to  include  the  RCC  director  - 
exercising  Mission  Command 

3.  Build  an  enlarged/more  complex  virtual  environment  with  a 
continued  focus  on  realism 

4.  Within  CPTs,  focus  on  squads  first,  teams  second 

5.  Work  with  NETCOM/ARCYBER/USCC  leadership  to  prioritize  effort 
to  establish  JIOR  nodes  in  each  RCC  and  the  ADOC 

6. Enhance program flexibility where possible in order to adjust vignettes based on RCC standardization decisions, doctrine and TTP development, force structure modifications, and short-notice collective training preparation (e.g., Pre-Cyber Guard train-up)

7. Build on relationship with 1st IO Command that was initiated during GCD 14
Training Themes


Experience  with  new  operational  capabilities 
Validation  of  existing  TTPs/SOPs 
Development  of  new  TTPs/SOPs 
Incident  reporting 
RCC/CPT/ADOC  interaction 
CPT  squad  operations 
Exposure  to  emerging  threats 
Deployment/Exercise  prep 
GCD 15 Training Objectives


Demonstrate  the  ability  to  detect,  respond  to,  and  recover  from  a  cyber 
attack 

Support  the  intelligence  cycle  by  performing  cyber  threat/event  analysis 

Develop  procedures  to  coordinate  with  JFHQ-C  during  RCC  and  CPT 
operations 

Demonstrate  the  ability  to  engage  RCC  leadership  and  perform  critical 
decision  making  during  cyber-kinetic  operations 

Assess  emerging  doctrine  ISO  RCC  and  CPT  mission  integration  during 
operations 

Demonstrate  the  ability  to  perform  CPT  squad  level  3000  tasks 
USCC T&R Manual

CPT  identifies  &  protects  assets  critical  to  mission  accomplishment 

CPT  defends  Cyber  Key  Terrain  &  critical  assets  in  larger/overlapping 
areas  of  operation 

Operates  across  Service  controlled  terrain;  Protects  Service  &  CCDRs’ 
priorities  ISO  operational  needs 


“USCYBERCOM  and  CMF  leaders  and  staffs  shall  use  the  CMF  T&R 
Manual  to  develop  their  training  and  assessment  plans  for  individual, 
staff,  and  collective  levels.  They  will  ensure  that  CMF  exercise  events 
incorporate  CMF  T&R  Manual  standards  for  assessment  team  readiness 
to  perform  our  mission.”  -  ADM  Rogers 
CPT Training Resources


Individual  skill  building 

•  FedVTE/PCTC  courses  --  lectures,  demonstrations,  labs 

Collective  experience  building 

•  Scenario  vignette  library  focusing  on  squad  operations 

•  Facilitated  exercises 
Vignette Library


CPT  Operations 

•  Prepare  Phase 

•  Execution  Phase 

-  Survey 

-  Secure 

-  Protect 

-  Recover 
Squads 

•  Mission  Protect 

•  Cyber  Readiness 

•  Cyber  Support 

•  Discovery  &  Counter-Infiltration 

•  Cyber  Threat  Emulation 


Training Battle Rhythm


RCC

| Month | Event |
| --- | --- |
| December - February | TEXN Build (CMU-SEI) |
| March | Cyber Sandbox 1 (24x7) |
| April | Mercury Challenge 1 (4hr) |
| May | Cyber Sandbox 2 (24x7) |
| June | Mercury Challenge 2 (4hr) |
| July | Cyber Sandbox 3 (24x7) |
| August | Mercury Challenge 3 (4hr) |
| September | Elite Mercury CTE (8hr) |

CPT

| Month | Event |
| --- | --- |
| December - February | TEXN Build (CMU-SEI) |
| March | RCC Configuration |
| April | PTE Go-Live |
| May | CPT Exercise 1 (4hr) |
| June | Squad Vignette Training |
| July | CPT Exercise 2 (4hr) |
| August | Squad Vignette Training |
| September | Squad Vignette Training |
Training Partnership


Event  Design 

•  RCC/CPT  trusted  agent 

•  Design  review 


Foundation 




Assessment  Strategies 

•  Embedded  Observers 

•  Training  Coordinators 

•  Hotwash/Shot  Validation 

•  White  Cell 


Virtual Training Environments


Training  enabler  -  Focus  on  providing  the  capability  for  units  to  conduct 
small  team  collective  training  while  addressing  time  and  scale 

Environments  based  on  training  objectives 

•  Unclassified  (NIPR) 

•  Classified  (JIOR) 

Platform  and  environment  as  a  managed  service 

•  Rapid  prototyping  based  on  training  requirements  (e.g.  integrated  JQR 
training  database) 
CERT® Private Cyber Training Cloud

Intuitive Learning Management System
Thousands  of  hours  of  captured  training 

•  Lectures,  Demos,  Hands-on  Labs 

Robust  team  exercise  and  simulation 

•  Air-gapped;  isolation  from  production  networks 

•  “Train  as  you  fight”  scenarios 

•  Advanced  user  and  Internet  Simulation 


[Screenshots: CERT PCTC (Private Cyber Training Cloud) portal page announcing a new platform for cyber workforce development; sample lecture slide “Robot Networks - Botnet”]



Training  &  Exercise  Network  (TEXN) 


Build  the  most  realistic  representation  of  an  Army  enterprise  yet  for 
multi-mission  element  training 

Incorporate  Joint  Regional  Security  Stack  (JRSS)  systems 
Current  design  based  on  inputs  from  RCC 

•  Many  enterprise  variations  in  the  real  world  meant  a  single  environment  could 
not  represent  every  region 

CPT  Capability  Integration 

•  Security  Onion 

•  SIFT  (Linux/Windows) 

•  Kali 

•  Rucksack 

•  Docker 

•  VTS 
TEXN Architecture


[Figure: CMU/SEI GCD15 topology (NIPR), marked UNCLASSIFIED//FOUO]
Training Collaboration


NETCOM

• Integration of RCC, CPT, ADOC, and 1st IO

Cyber  Protection  Brigade 

•  Individual  training  proficiency  tracking  (JQR) 

•  CPT  training  requirements 

Cyber  Center  of  Excellence 

•  Training  advancements  for  emerging  missions 

•  TTP/SOP  development  and  codification 

CECOM 

•  Army  cyber  range  working  group 

ARCYBER JFHQ-C

•  Training  coordination 

•  CMF  training  alignment 
Curriculum Development


Leverage  PCTC  beyond  the  exercise  portal 

Custom  course  development  integrating  LMS  features,  courses,  and 
labs 

Integration  of  Army  training  content 
QUESTIONS


Contact Information


Bruce  Madalinski,  NETCOM  G3/5/7  TREX 
bruce.a.madalinski.civ@mail.mil 

520-538-8439 

Greg  Longo,  CMU/SEI 

qql@cert.org 

412-268-8330 
BACKUP




CWDi  Approach  to  Training 

•  Knowledge  Building: 
lectures  and  demos 

•  Skill  building: 
hands-on  labs 

•  Experience  building: 
team-based  exercises 

•  Evaluation 


ART 5.9.1.2 Conduct Defensive Cyberspace Operations

Units conduct and coordinate, as required, defensive cyberspace operations to effectively detect, identify, and respond to enemy and adversary actions against friendly networks and information resident in these networks. (FM 3-38) (USAMCCoE)

| No. | Scale | Measure |
| --- | --- | --- |
| 01 | Yes/No | Unit employed tactics, techniques, and procedures to detect intrusions and cyber attacks into the Army’s portion of the Department of Defense information networks called LandWarNet. |
| 02 | Yes/No | Unit coordinated, deconflicted, and conducted defensive cyberspace operation response actions outside the LandWarNet. |
| 03 | Yes/No | Unit coordinated, deconflicted, and employed internal defensive measures inside the LandWarNet. |
| 04 | Yes/No | Unit conducted rehearsals to react to enemy cyber attacks on friendly networks and per operation order, battle drills, and standard operating procedures. |
| 05 | Yes/No | Unit coordinated and conducted cyberspace information collection to support defensive cyberspace operations. |
| 06 | Yes/No | Unit developed and submitted cyber effects request formats as required in support of defensive cyberspace operations. |

Condition

- Using network resources while under cyber attack
- Operate through degraded network conditions
ART 5.9.1.3 Coordinate Network Operations

Units that perform this task coordinate, integrate, and synchronize network operations within Department of Defense information networks and the LandWarNet to support cyberspace operations. (FM 3-38) (USAMCCoE)

| No. | Scale | Measure |
| --- | --- | --- |
| 01 | Yes/No | Unit enabled and facilitated cyberspace operations inside friendly force networks. |
| 02 | Yes/No | Unit enabled and facilitated cyberspace operations outside friendly force networks. |
| 03 | Yes/No | Unit enforced cyber electromagnetic policies and standards that guided the development, deployment, and management of personnel, products, and processes. |

Condition

- Using network resources while under cyber attack
- Operate through degraded network conditions
ART 5.9.1.4 Conduct Cyberspace Support

Units conduct cyberspace support actions to enable cyberspace operations and the accomplishment of the mission. (FM 3-38)

| No. | Scale | Measure |
| --- | --- | --- |
| 01 | Yes/No | Unit performed development, engineering, and analysis to enable the enterprise network. |
| 02 | Yes/No | Unit conducted legal, regulatory, and policy analysis and coordination. |
| 03 | Yes/No | Unit performed vulnerability assessments. |
| 04 | Yes/No | Unit performed forensics. |
| 05 | Yes/No | Unit performed remediation in response to unauthorized intrusions or attacks. |

Condition

- Using network resources while under cyber attack
- Operate through degraded network conditions
ART 5.9.1.5 Develop Cyberspace Situational Awareness

Units develop and provide cyberspace situational awareness to gather, process, and communicate relevant information to enable cyberspace operations. (FM 3-38) (USAMCCoE)

| No. | Scale | Measure |
| --- | --- | --- |
| 01 | Yes/No | Unit developed, disseminated, and maintained relevant information enabling the commander and staff to achieve situational understanding of friendly and adversary use of cyberspace. |
| 02 | Yes/No | Unit conducted cyberspace information collection contributing to the common operational picture and answering the commander’s critical information requirements. |
| 03 | Yes/No | Unit coordinated with host nation to develop situational awareness of critical infrastructure and key resources. |
| 04 | Yes/No | Unit identified and applied the legal considerations, intelligence gains or losses, and associated risks supporting the commander's decisions within the operations process. |

Condition

- Using network resources while under cyber attack
- Operate through degraded network conditions
Joint Training Manual (CJCSM 3500.03D)


[Figure: Joint Learning Continuum. Axis: Time. Labels: Learning; Performing; Education; Individual Training; Self Development; Experience; Staff Training; Unit Training; Collective Training; Familiarization; Certification; Execution; Individual Preparation; Collective Preparation; Integrated and disciplined preparation to defined performance standards; Indoctrination; Joint Duty; Mission Ready; Joint Operations; Qualification; Validation]